1
00:00:00,000 --> 00:00:05,875
>>Thank you for making out to
day three of Def Con. It is hard
for 90% of the audience. We're
2
00:00:05,875 --> 00:00:12,458
glad that you're here. First the
agenda. We're going to go over
the attacks surface on the cell
3
00:00:12,458 --> 00:00:18,958
phone. What you can find, what
is available to you. We're going
to be talking about testing
4
00:00:18,958 --> 00:00:24,083
environments both virtually and
the real world testing
environment and doing live
5
00:00:24,083 --> 00:00:30,083
demonstrations ‑ ‑
demonstrations at the end. My
name is Brian Gorenc. I run a
6
00:00:32,167 --> 00:00:39,500
research team, my responsibility
is running the zero initiative,
the world's largest vendor
7
00:00:39,500 --> 00:00:46,708
diagnostic program. And I'm also
responsible for running the
phone to own competition through
8
00:00:46,708 --> 00:00:52,833
the programs we have been able
to inject $10 million into the
white hat research marketplace.
9
00:00:52,833 --> 00:01:00,708
We're proud of that, outside of
that, I do a lot of hunting, but
typically they don't lead the
10
00:01:00,708 --> 00:01:07,750
vulnerabilities, only once in a
while. I'm also on twitter. >>
My name is Matt Molinyawe. I'm
11
00:01:07,750 --> 00:01:13,750
a researcher. I work for Ryan.
Pointers from there are really
delirious. I have hours of
12
00:01:18,250 --> 00:01:24,250
YouTube video that and watch at
work, because I work a lot. And
part of the fund team that
13
00:01:33,500 --> 00:01:39,500
helped Internet explorer 11 and
windows 8.1 and doing a lot of
cleanup, it is mess to clean up
14
00:01:43,083 --> 00:01:49,083
your mess, so it writes clean
and shiny. And I like scientific
calculators. In my free time, I
15
00:01:57,250 --> 00:02:03,250
go under DJ, I was a two time
finalist in AMC. So are some
pictures from DJ clips. And I
16
00:02:09,667 --> 00:02:15,667
also scratched on the 2014 song
security by chase. I also beat
contra using a laser in the top
17
00:02:19,208 --> 00:02:25,208
nine. [ Applause ] You can see
it on YouTube. I did it in like
17 minutes. I beat clog.
18
00:02:29,667 --> 00:02:37,667
National hero status. I do
martial arts. So anything I want
to say, do the shit out of the
19
00:02:37,667 --> 00:02:43,667
things you like to do. My name
is DJ on twitter, too. >> The
whole point of this talk is to
20
00:02:46,458 --> 00:02:50,042
‑ ‑ it is about Celly and what
is going to go through SMS/MMS.
What we like about this
21
00:02:50,042 --> 00:02:56,042
technology, it is always on, and
in your pocket. There is limited
defenses between you're the
22
00:03:00,500 --> 00:03:06,500
phone and attacker. Everything
going through the provider. A
lot of the vendors outside of
23
00:03:11,042 --> 00:03:18,917
apple and Google and those guys
once the phone has entered the
marketplace it is EOL. There is
24
00:03:18,917 --> 00:03:24,125
no engineering team out there
ready to push patches and no
real clean way to get a patch
25
00:03:24,125 --> 00:03:27,667
out through the field. We
experienced this a lot. We have
been trying to get patches out
26
00:03:27,667 --> 00:03:33,667
for the mobile area and it is
quite difficult. There has been
a lot of research in the area,
27
00:03:36,042 --> 00:03:41,833
of course. Every one rolling
around and doing their own
mutation. We're going to give
28
00:03:41,833 --> 00:03:47,375
you building blocks to get into
the area and get interested in
phones. In this case, we're
29
00:03:47,375 --> 00:03:55,083
using android devices in the
demonstration. So bug hunting
itself and what is available on
30
00:03:55,083 --> 00:04:01,042
the phone. For messages services
we have SMS, short messaging
service, it is a technology,
31
00:04:01,042 --> 00:04:07,042
many of you know this, but there
is actually different encoding
steps and different alphabets to
32
00:04:10,500 --> 00:04:16,500
send to the phone. Seven bit 160
characters, 140, and a 70
character UTF16 to the phone.
33
00:04:19,500 --> 00:04:25,958
You overlay messages and do
segmentation in the messages
using the data header. That's
34
00:04:25,958 --> 00:04:32,583
available to you, that is good
way for processing errors in
that type of segmentation and
35
00:04:32,583 --> 00:04:37,708
multimedia messaging services is
your gateway into sending
malicious audio and video file
36
00:04:37,708 --> 00:04:43,625
and pictures to the phone. Most
of these are processed without
user interaction. And it allows
37
00:04:43,625 --> 00:04:49,542
you to use it quickly. And the
community alert mobile system.
There are three different types
38
00:04:49,542 --> 00:04:56,667
of alert messages to send to a
phone. One is presidential, one
is eminent threats, weather, and
39
00:04:56,667 --> 00:05:02,292
then amber alerts. The
interesting thing about this
type of messaging, the user can
40
00:05:02,292 --> 00:05:07,792
opt out of the amber alerts and
threat alerts, but not the
president alerts. If you can
41
00:05:07,792 --> 00:05:12,583
find a venerability alert in
the presidential message you are
going to own a lot of people
42
00:05:12,583 --> 00:05:18,583
that way. On the screen, the
message that we got yesterday
sitting in the hotel room. Enjoy
43
00:05:23,042 --> 00:05:29,125
that. There's a lot of file
formats available through the
MMS protocol that will allow you
44
00:05:29,125 --> 00:05:36,000
to get, decode execution on the
phone itself. We listed some on
the slides. We actually just
45
00:05:36,000 --> 00:05:39,583
have the source codes looking
for the handlers for the various
file types. There is a lot of
46
00:05:39,583 --> 00:05:46,583
legacy formats on the phone
typically coded a long time ago,
they have not gone through a
47
00:05:46,583 --> 00:05:52,583
secure life cycle and an easy
bug in there, we found a bug or
two in the file formats while we
48
00:05:55,417 --> 00:06:02,167
were fuzzing. We are talking
about fuzzing itself. There is a
lot of existing workout there
49
00:06:02,167 --> 00:06:08,708
that you can leverage, if you
need fuzzing seeds there is good
locations you can also Google
50
00:06:08,708 --> 00:06:15,000
this file type, the file type
that you want to fuzz and get a
large corpus of data and send it
51
00:06:15,000 --> 00:06:20,625
to the libraries and then the
phone like we're about to show
you. And you can get mutation
52
00:06:20,625 --> 00:06:26,208
libraries for PDUs and things
like that. A lot of research in
the area. In this case we used
53
00:06:26,208 --> 00:06:32,750
our mutations, you will see that
in a video later on. It is easy
to do press pretajing, you role
54
00:06:32,750 --> 00:06:40,417
your own wrapper and have a
database to store it. So I'm
going it turn it over to Matt.
55
00:06:40,417 --> 00:06:46,417
He will go over emulation. >>
All right. We just pulled out
the android listed there. You
56
00:06:48,917 --> 00:06:56,292
can use these commands to create
armed devices. And ‑ ‑ you can
go through the UI by that
57
00:06:56,292 --> 00:07:02,292
command. It is easy to like
having the scripts rolling. So
if IOS there was not a good
58
00:07:05,542 --> 00:07:13,417
fall ‑ ‑ default message app on
there, for windows phone the
link is there. It has a
59
00:07:13,417 --> 00:07:18,833
messaging app. It looks pretty
dope. I didn't get a lot of time
to play with it much, but you
60
00:07:18,833 --> 00:07:25,958
can attack it from there. As far
as android, there are two
things. I used the android SDK
61
00:07:25,958 --> 00:07:31,958
that gives you the benefit of
the versions for the ones that
‑ ‑ something, you can have
62
00:07:37,333 --> 00:07:42,500
images and six images, but they
tend to be slow, they are going
through QMU, but emulation is
63
00:07:42,500 --> 00:07:48,500
slow, because it emulating
instructions on A6 or 64. And
this is a ‑ ‑ A6 virtual box
64
00:07:50,917 --> 00:07:56,917
machine. It is user friendly and
available at Jenny motion. For
debugging ‑ ‑ issued this
65
00:08:03,875 --> 00:08:08,958
command, this slide is mainly
for me. Because I forget stuff,
I will copy and paste this
66
00:08:08,958 --> 00:08:15,208
later. I should probably write,
screw it. But I'm super lazy and
need to get on that. A lot of
67
00:08:15,208 --> 00:08:21,208
stuff that people can do is
faster than me. You run GBD,
find your process. And you run
68
00:08:26,500 --> 00:08:34,125
the GDB for your harm and then
run the target remote command
and then your live debugging
69
00:08:34,125 --> 00:08:41,458
continues. That's it. If you
want to be cool, run python and
catch all of the output and send
70
00:08:41,458 --> 00:08:49,208
the commands and that all she
wrote. You could send it to a
database. So if scripting ‑ ‑
71
00:08:49,208 --> 00:08:55,208
basically ‑ ‑ um, you can
script SMS commands to the send
PDU command on the Telenet
72
00:08:58,417 --> 00:09:04,417
channel. There's a lot of prior
research here. A lot of gods are
there and they have already done
73
00:09:07,250 --> 00:09:12,500
that. So ‑ ‑ so I had, Matt and
I ‑ ‑ it is really awesome ‑ ‑
it is about three or four weeks
74
00:09:12,500 --> 00:09:18,500
of me telling, talking to myself
saying why do you suck so bad,
man, this is awesome. [ Laughter
75
00:09:21,917 --> 00:09:27,917
] So, so yeah. You guys should
just, if you have ‑ ‑ fields,
whatever, you don't have to, you
76
00:09:31,292 --> 00:09:38,208
will see much I failed. But if
you guys should fail fast and
fail often and then you'll
77
00:09:38,208 --> 00:09:44,750
eventually get success. But not
for me. Luckily for me I just
completely gave up and went
78
00:09:44,750 --> 00:09:50,667
straight to backing up MMS
messages using backup. So you
know, I did that and I pulled
79
00:09:50,667 --> 00:09:56,667
stuff from my phone and throw it
to an emulator and I know that
MMS is on an android emulator.
80
00:09:59,583 --> 00:10:05,583
Despite what the Internets. I
Googled three weeks and it
sucked. I was not getting
81
00:10:08,083 --> 00:10:14,083
success. So anyway, decompiled
the code. Worked, found out that
the MMS ‑ ‑ SMS/MMS file is
82
00:10:19,292 --> 00:10:25,292
where all of the good stuff is
stored. And I figured hey, I
don't have to write Java, I did
83
00:10:27,500 --> 00:10:33,500
that for seven years and got
tired if it, so I'm just going
to write python. So that's it.
84
00:10:36,708 --> 00:10:42,500
Okay. The two directors that you
see is where the database lives
and the assets that your
85
00:10:42,500 --> 00:10:49,292
database will point to. And the
tables that you see, that's, I
figured all of that out by
86
00:10:49,292 --> 00:10:55,208
sending a text message or
picture message to myself, it
would be in the sent folder but
87
00:10:55,208 --> 00:11:01,375
could not send, the emulators
can not taught to each other. So
I saw how the database was
88
00:11:01,375 --> 00:11:07,375
effected and after that played
with the values and get into the
inbox after that. So just push
89
00:11:11,083 --> 00:11:16,458
the database to your phones
reset the commissions and you're
set. Basically you can send, you
90
00:11:16,458 --> 00:11:23,958
know, taps and clicks to the
phone with monkey runner. So it
is unscriptable. Here I'm going
91
00:11:23,958 --> 00:11:29,958
to play this video. I'm pulling
down the database and generating
test cases. And I pulled down
92
00:11:32,458 --> 00:11:38,458
the page. Now, it is inserting
the test cases into the
database. And ‑ ‑ I believe the
93
00:11:42,542 --> 00:11:48,458
next ‑ ‑ blip that you will see
a little bit more. So now it has
inserted the database into the
94
00:11:48,458 --> 00:11:54,458
phone now it is sending all over
the JPEGs that were mutating.
Now I'm restarting the phone. So
95
00:12:06,000 --> 00:12:12,250
you reboot the phone, it will
initialize the database and load
this into your messaging app.
96
00:12:12,250 --> 00:12:18,250
You can see the red it is
working really hard. It is
working really hard processing
97
00:12:20,542 --> 00:12:28,042
stuff. Here we are clicking the
messaging app. It is going to
acquire it again. There you go,
98
00:12:28,042 --> 00:12:34,042
a thousand messages I threw
into the emulator. Now I'm going
to go and click through one of
99
00:12:36,667 --> 00:12:42,667
them. This is a big deal. I
thought this was not possible.
But hey it is working. Now you
100
00:12:44,792 --> 00:12:50,792
can click through your test
case. Cool. So that's our,
that's our picture that we
101
00:12:55,708 --> 00:13:01,708
inserted into the database. [
Applause ] This next test case,
I'm sorry. Yes? Go back. Okay.
102
00:13:09,750 --> 00:13:14,583
Yeah. This next little guy is a
picture from, of the canteen,
like I just pulled down the
103
00:13:14,583 --> 00:13:20,583
corpus of hacker fisher from
Coney Island, I thought it would
be funny to have a we dog
104
00:13:23,333 --> 00:13:30,500
situation. Here are pictures of
hackers hacking, I'm going to
screw with this. But anyway. [
105
00:13:30,500 --> 00:13:37,833
Laughter ] Okay. So I'm going to
turn it over to Brian. He is
going to talk about keeping
106
00:13:37,833 --> 00:13:45,667
real. >> So for the real world
app setup, you will need a set
of receivers and transserve s to
107
00:13:45,667 --> 00:13:51,667
send messages to the device. We
have been using the USP in our
lab. There is a lunch of SDR
108
00:13:54,500 --> 00:13:59,833
devices out there to allow you
to get the base station and get
the messages to your targets.
109
00:13:59,833 --> 00:14:04,875
Next is a mission if you're
trying to find zero base, it is
best not to be blasting them all
110
00:14:04,875 --> 00:14:09,750
over the place. Somebody,
especially at Def Con will pick
it up. We have a discloser on
111
00:14:09,750 --> 00:14:16,542
the stage. This is what we use.
We will talk about that more
later. It will isolate all of
112
00:14:16,542 --> 00:14:23,167
the radios inside of the box so
you don't use it. Next is the
software, this is a base station
113
00:14:23,167 --> 00:14:29,167
and it is very handy with ‑ ‑
USRP. Then you need your cell
phones, of course. We wanted to
114
00:14:37,208 --> 00:14:42,958
go try ‑ ‑ to do BTS. And
failed heavily. And Matt set it
up for me. I'm a loser. So we
115
00:14:42,958 --> 00:14:46,500
used the combination of source
environments. So ‑ ‑ we used
the combination of course codes
116
00:14:46,500 --> 00:14:52,500
some from the networks. We
referenced them heavily when
setting up open DTS. Because
117
00:15:06,792 --> 00:15:11,083
we're using a NSA research
device, you to build it with the
dash, dash and the UHB compiler
118
00:15:11,083 --> 00:15:15,208
to get the correct trance
receiver in there, that is
important to know. And the
119
00:15:15,208 --> 00:15:21,208
driver for the research device
from the company, there is a
link on slide, it will get the
120
00:15:23,958 --> 00:15:30,667
correct firmware on there and
understand what exactly is in
the SRP. So those who have not
121
00:15:30,667 --> 00:15:35,000
seen a USRP. That is what it
looks like. You can come up
after the talk and take a look.
122
00:15:35,000 --> 00:15:41,000
We are using 900 to do the waves
and the cable to connect it to
the closure. It looks like this.
123
00:15:45,917 --> 00:15:51,083
A Ramsey test equipment device.
It is used for forensic
investigations, when they grab
124
00:15:51,083 --> 00:15:57,083
the drug dealer's phone, they
throw it into it box. We use it
for fuzzing, you can manipulate
125
00:15:59,792 --> 00:16:05,792
the phone and keeps it isolated.
Next, a phone, your choice,
android, windows phone, apple,
126
00:16:08,750 --> 00:16:16,708
whatever. When we are do it in
our office, we are using the
AT&T database using the values
127
00:16:16,708 --> 00:16:22,708
listed on the slide. And the
using the card that is shown on
the slide right now. We picked
128
00:16:26,417 --> 00:16:32,417
this up as a big box store. How
much did all of this stuff cost?
A lot. Unfortunately. The RF
129
00:16:35,875 --> 00:16:42,792
enclosure is $3,000, but of
course, if you do find O dat
that cost is more, unless you
130
00:16:42,792 --> 00:16:48,792
sell it to us. We made a lot of
modifications to the box. We
have a lot of pass‑ throughs
131
00:16:51,417 --> 00:16:58,958
that allow us to do USB and
connections so you can actually
network. So we made
132
00:16:58,958 --> 00:17:04,958
modifications to the box and
debugging. The USRP itself,
after all of the boards ‑ ‑ it
133
00:17:09,375 --> 00:17:15,375
cost around $3,000. And then the
cell phones itself, you know,
unlock phones is about five
134
00:17:17,750 --> 00:17:25,625
hundred with all of the sim
cards and sim cutting tools you
need. It is about $6,500 to get
135
00:17:25,625 --> 00:17:30,542
into the market to actually find
bugs in a real world lab setup.
It is obviously cheaper
136
00:17:30,542 --> 00:17:36,542
depending on which SDR device.
A blade ‑ ‑ supports open SDR.
But I not gotten it successfully
137
00:17:43,458 --> 00:17:49,458
to work. Connecting the USRP on
android. You collect the mobile
networks operational, network
138
00:17:53,292 --> 00:18:01,250
operators it will such and look
for the base station and find
it, click home and register on
139
00:18:01,250 --> 00:18:06,458
the network. Then it will be
time to send your text messages
like you see on the slide. We
140
00:18:06,458 --> 00:18:12,458
have them, we have the elite
number, a (281)330‑ 8004. Go,
go ‑ ‑ >> Who? >> 1900 ‑ ‑
141
00:18:19,125 --> 00:18:25,042
sir‑ mix‑ a lot. You can send
whatever you want. You can spoof
any text message you want.
142
00:18:25,042 --> 00:18:31,042
That's what we're doing on the
stage. This is what it looks
like. It is actually connected
143
00:18:34,208 --> 00:18:41,042
to the USRP using the UHD driver
we talked about it. Looks like
this when it is ready to run.
144
00:18:41,042 --> 00:18:46,375
Once the phones are connected
you can actually use the command
to, to list the phones that are
145
00:18:46,375 --> 00:18:52,917
connected on the network. I have
the MSI if you want it. Then ‑
‑ sending message in open BTS ‑
146
00:18:52,917 --> 00:18:58,417
‑ simple. And sending basic text
messages looks like this, you
see the text messages coming in
147
00:18:58,417 --> 00:19:04,417
on the phone. [ Applause ] >>
Uh‑ huh. >> It looks like
somebody getting shot. >> Look,
148
00:19:11,792 --> 00:19:17,792
like Mike Jones showed up. So
we'll continue on real quick.
The live demonstrations we are
149
00:19:22,708 --> 00:19:28,750
fuzzing the phones you can hear
them beeping in the background.
There is live fuzzing going on
150
00:19:28,750 --> 00:19:33,917
the stage. You more than welcome
to come out and check it out
afterwards. You can see like
151
00:19:33,917 --> 00:19:41,125
thousands of text messages on
the phones. And there is also a
quick emulator setup? >> All
152
00:19:41,125 --> 00:19:47,167
right. So if this guy, we just
did the remote debugging to show
you the test case. I clicked it,
153
00:19:47,167 --> 00:19:53,167
bam it is all messed up now,
man, it will feedback to the
phone saying cannot support it,
154
00:19:56,333 --> 00:20:02,333
but guess what, yeah. It does.
Oh, man. >> Okay. >> Good stuff.
>> So the last guy tried to do
155
00:20:07,542 --> 00:20:11,042
a demo. Should I give you the
shot before or after the demo.
After the demo. I will let you
156
00:20:11,042 --> 00:20:19,000
decide. >> The demo didn't work.
>> He today are taking it before
the demo. >> All right. New
157
00:20:19,000 --> 00:20:23,208
speakers. You guys have been
sucking. Show some love for
these guys. [ Applause ] >>
158
00:20:23,208 --> 00:20:29,208
Shots. All right. A shout‑ out
right there. Good clap for this
guy right here. So final slide,
159
00:20:36,250 --> 00:20:42,250
these our targets a lot of data,
a lot of person. Information and
corporate information. This
160
00:20:50,208 --> 00:20:56,208
industry needs a wake‑ up call.
They cannot handle patches. If
there are venerability in the
161
00:20:58,875 --> 00:21:05,375
cell phone, there is a good
chance outside of apple and
Google you're going to have a
162
00:21:05,375 --> 00:21:08,583
really hard time patching this.
This is the appearance that we
had with patching
163
00:21:08,583 --> 00:21:13,792
vulnerabilities in the mobile
space. They need a wake‑ up
call, I hope the industry steps
164
00:21:13,792 --> 00:21:21,333
up and gets them to actual do
that. It is 2014. Whatever, you
should not be sitting here not
165
00:21:21,333 --> 00:21:26,250
being able to patch the software
on a mobile device. I find that
unacceptable. There is a
166
00:21:26,250 --> 00:21:32,833
decreasing barrier of entry for
this fuzzing. The SDR equipment
is becoming cheaper. You can
167
00:21:32,833 --> 00:21:38,833
possibly use the blade eRF to do
the same type of research. It is
getting cheaper as SDR is more
168
00:21:41,125 --> 00:21:46,958
popular. We learned that all of
the defuzzing on the desktops
transfers over here to fuzzing
169
00:21:46,958 --> 00:21:54,375
in mobile space. It is not as
hard as it looks. We recommend
people get in it. If you find
170
00:21:54,375 --> 00:22:01,417
zero days we are a bug buying
program, we would be happy to
buy them from you. We will buy
171
00:22:01,417 --> 00:22:08,667
the bugs off of you. It is worth
getting into. There is a lot of
vulnerabilities in the space.
172
00:22:08,667 --> 00:22:13,458
And ‑ ‑ you know, they really
need a wake‑ up call in the
industry. Hopefully you use this
173
00:22:13,458 --> 00:22:19,458
information to find good
vulnerabilities. Thank you for
coming out. [ Applause ]